StepFun OpenClaw Plugin
StepFun provider plugin for OpenClaw (prototype)
Community code plugin. Review compatibility and verification before install.
@hengm3467/stepfun-openclaw-plugin · runtime id stepfun
Install
openclaw plugins install clawhub:@hengm3467/stepfun-openclaw-plugin
Latest Release
Version 0.1.0
Compatibility
{
"builtWithOpenClawVersion": "0.1.0",
"minGatewayVersion": ">=2026.3.24",
"pluginApiRange": ">=2026.3.24"
}
Capabilities
{
"bundledSkills": [],
"capabilityTags": [
"executes-code",
"provider:stepfun",
"provider:stepfun-plan"
],
"channels": [],
"commandNames": [],
"configSchema": true,
"configUiHints": false,
"executesCode": true,
"hooks": [],
"httpRouteCount": 0,
"materializesDependencies": false,
"providers": [
"stepfun",
"stepfun-plan"
],
"runtimeId": "stepfun",
"serviceNames": [],
"setupEntry": false,
"toolNames": []
}
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the code: the package registers two model providers (stepfun, stepfun-plan) and implements API-key auth for StepFun endpoints. There are no unrelated credentials, binaries, or external services requested beyond StepFun endpoints. Minor metadata mismatch: the top-level registry summary lists "Required env vars: none" while the plugin manifest and code expect STEPFUN_API_KEY.
Instruction Scope
SKILL.md provides local-install and verification steps and only instructs setting OpenClaw-specific environment variables (OPENCLAW_STATE_DIR, OPENCLAW_CONFIG_PATH) and the provider API key. It does not ask the agent to read unrelated system files, transmit data to unexpected endpoints, or perform broad discovery beyond what a provider plugin needs.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. The package includes TypeScript source files (index.ts, provider-catalog.ts) and an openclaw.plugin.json manifest — typical for a plugin prototype. No downloads from arbitrary URLs or archive extraction are used.
Credentials
The plugin uses a single provider credential (STEPFUN_API_KEY) which is proportionate to a model-provider plugin. Note the registry summary omitted required env vars while openclaw.plugin.json and the code clearly reference STEPFUN_API_KEY — this inconsistency should be fixed but is not itself malicious.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global system settings. It will create provider auth profiles in OpenClaw (expected behavior for a provider plugin). The default allow-autonomous-invocation setting is unchanged — normal for plugins and not by itself a concern.
Assessment
This appears to be a straightforward OpenClaw provider plugin prototype. Before installing or supplying credentials: (1) verify you trust the package source (the repository URL is included in package.json); (2) prefer to test in isolation using the SKILL.md recommended OPENCLAW_STATE_DIR and OPENCLAW_CONFIG_PATH to avoid touching your real OpenClaw config; (3) only provide the STEPFUN_API_KEY if you intend to use the StepFun provider; and (4) consider asking the author to correct the metadata inconsistency (registry summary vs openclaw.plugin.json) so required env vars are clear.
Verification
{
"hasProvenance": false,
"scanStatus": "clean",
"scope": "artifact-only",
"sourceCommit": "78ddd1d8b835c1c248915b82f46387496f917bb5",
"sourceRepo": "hengm3467/stepfun-openclaw-plugin",
"sourceTag": "main",
"summary": "Validated package structure and linked the release to source metadata.",
"tier": "source-linked"
}
Tags
{
"latest": "0.1.0"
}
StepFun External Plugin Example
This directory is a repo-local prototype of a standalone StepFun provider
plugin. It is intentionally outside extensions/ so OpenClaw does not treat it
as a bundled plugin during metadata generation, provider registry wiring, or
default enablement.
When you split this into its own repository, you can copy this directory almost as-is and then replace the package metadata with your real publish target.
Recommended standalone repo layout
openclaw-stepfun-plugin/
  index.ts
  provider-catalog.ts
  openclaw.plugin.json
  package.json
  README.md
Local install
From the standalone plugin repo root:
tmp="$(mktemp -d)"
printf '{}\n' > "$tmp/openclaw.json"
OPENCLAW_STATE_DIR="$tmp" \
OPENCLAW_CONFIG_PATH="$tmp/openclaw.json" \
openclaw plugins install .
Using only OPENCLAW_STATE_DIR is not enough when you already have an existing
default config on disk. For an isolated trial run, set both environment
variables.
Verify the loaded plugin
OPENCLAW_STATE_DIR="$tmp" \
OPENCLAW_CONFIG_PATH="$tmp/openclaw.json" \
STEPFUN_API_KEY=test-key \
openclaw plugins inspect stepfun --json
Check that the inspect output includes both provider ids:
- stepfun
- stepfun-plan
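The check above can be scripted so that a missing provider fails loudly instead of being eyeballed. The following is an added example, not code from the plugin or from OpenClaw. It assumes the inspect JSON lists provider ids under a key named "providers" (as the registry Capabilities record does), either as strings or as objects with an "id" field; the function names and sample inputs are hypothetical and constructed.

```javascript
// Added example: validate text captured from
//   openclaw plugins inspect stepfun --json
// ASSUMPTION: provider ids sit under a "providers" key, as strings or {id}.
const EXPECTED = ["stepfun", "stepfun-plan"];

// Recursively collect ids found under any "providers" array in the document.
function collectProviderIds(node, found = new Set()) {
  if (Array.isArray(node)) {
    node.forEach((item) => collectProviderIds(item, found));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (key === "providers" && Array.isArray(value)) {
        for (const p of value) {
          if (typeof p === "string") found.add(p);
          else if (p && typeof p.id === "string") found.add(p.id);
        }
      }
      collectProviderIds(value, found);
    }
  }
  return found;
}

// Returns { ok, missing, unexpected }. "ok" means every expected id is present.
// "unexpected" lists providers the plugin registered beyond the expected set,
// which is worth a manual look for a plugin tagged executes-code.
function checkInspectOutput(text, expected = EXPECTED) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (err) {
    // An error message or empty output must not pass as a loaded plugin.
    return { ok: false, missing: [...expected], unexpected: [], error: "not JSON" };
  }
  const found = collectProviderIds(doc);
  const missing = expected.filter((id) => !found.has(id));
  const unexpected = [...found].filter((id) => !expected.includes(id));
  return { ok: missing.length === 0, missing, unexpected };
}

// Constructed samples. The second shows why matching the bare string "stepfun"
// is not enough: runtimeId alone would satisfy a naive text search.
const SAMPLE_OK = '{"runtimeId":"stepfun","providers":["stepfun","stepfun-plan"]}';
const SAMPLE_BAD = '{"runtimeId":"stepfun","providers":["stepfun-plan"]}';

console.log(checkInspectOutput(SAMPLE_OK));
console.log(checkInspectOutput(SAMPLE_BAD));
```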
Current behavior
- Provider ids: stepfun, stepfun-plan
- Shared env var: STEPFUN_API_KEY
- Four setup choices:
  - Standard API key (China)
  - Step Plan API key (China)
  - Standard API key (International)
  - Step Plan API key (International)
- Env-only discovery defaults to the international endpoints
- Setup writes auth profiles for both stepfun and stepfun-plan, so the plugin does not rely on core auth normalization for *-plan variants
First publish checklist
- Replace the example package name with the real npm or ClawHub package name you want to publish.
- Update the version and repository metadata in package.json.
- Keep openclaw.install.minHostVersion aligned with the oldest OpenClaw build you intend to support.
- If you publish source files, keep openclaw.extensions pointing at ./index.ts.
- If you publish built output instead, change openclaw.extensions to the built entry path, typically ./dist/index.js.
- Run one local install and one plugins inspect pass before attempting ClawHub publish.
